I suspect they won't know. This information was only obtained after
they examined a certificate created in what they consider the "normal"
means: by using their CA that comes with a Windows application they
sell. It's basically just a MS CA. All of this was discovered when I
complained LOUDLY th
Because your vendor doesn't follow the latest ipsec specification,
which states that only keyUsage nonRepudiation,digitalSignature should
be required, and no extendedKeyUsage should be required. However,
looking at http://www.oid-info.com/cgi-bin/display?tree=1.3.6.1.5.5.8.2
says that 1.3.6.1.5.5.
Here's what I had to add to the config to get it to work (as listed by
the vendor):
[ new_oids ]
# Only read when the config's default section carries "oid_section = new_oids"
# (the stock openssl.cnf does); ${pkixeku} expands within this section, so
# ikeIntermediate resolves to 1.3.6.1.5.5.8.2.2.
pkixeku=1.3.6.1.5.5.8.2
ikeIntermediate=${pkixeku}.2
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
Any thoughts on
Well, those attributes will work (minus the IKE one; it was not
recognized) but the Watchguard does not assign it with a type of
IPSec, so I've contacted Watchguard support to request the expected
extended attributes for this. I will post a reply as soon as I know.
On Tue, Aug 26, 2008 at 1:41 PM,
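An added example, not from this thread and not Watchguard's or the OpenSSL project's own code, that runs the signing step end to end in a throwaway directory: it builds a test CA, signs a device CSR with the keyUsage/extendedKeyUsage values discussed above, and then checks that the ikeIntermediate OID actually landed in the issued certificate. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the config file, the "fw.example" subject, the serial 15 and all file names are constructed for the demo. To sidestep the "not recognized" problem with a [ new_oids ] alias, the EKU names ikeIntermediate by its dotted form 1.3.6.1.5.5.8.2.2 (what ${pkixeku}.2 expands to), which OpenSSL accepts in any context without registering a name.

```sh
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, sign a device CSR
# with the keyUsage/extendedKeyUsage from the thread, and confirm that the
# ikeIntermediate OID 1.3.6.1.5.5.8.2.2 is present in the issued certificate.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; every file name, the
# subject "fw.example" and serial 15 are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config. The EKU uses the dotted OID rather than a [ new_oids ]
# alias: a numeric OID needs no registration, so it cannot be "not recognized".
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.5.5.8.2.2
EOF

# Self-signed root CA, then a device key and CSR (what the firewall would send).
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=fw.example" -config "$WORK/openssl.cnf" \
        -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
    # Sign the CSR; the extensions come from the CA side, not from the CSR.
    openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 15 -days 1 -extfile "$WORK/openssl.cnf" -extensions usr_cert \
        -out "$WORK/dev.crt" 2>/dev/null
}

# The line an operator looks at: a registered OID prints as a name, an
# unregistered one as dotted digits.
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage'
}

# Check that does not depend on OpenSSL knowing a name for the OID: search the
# DER form of the certificate for the encoded OID (tag 06, length 08, then
# 2b 06 01 05 05 08 02 02, since 1.3 encodes as 40*1+3 = 0x2b). Prints yes/no.
cert_has_ike_oid() {
    if openssl x509 -in "$1" -outform DER | od -An -tx1 -v | tr -d ' \n' \
        | grep -q '06082b06010505080202'; then
        echo yes
    else
        echo no
    fi
}

# Does the issued certificate chain to the test CA? Prints ok/fail.
chain_verifies() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

build_pki
show_eku "$WORK/dev.crt"
echo "ikeIntermediate present: $(cert_has_ike_oid "$WORK/dev.crt")"
echo "chain: $(chain_verifies "$WORK/dev.crt")"
```

The DER search is deliberately separate from the text dump: the bytes are the same whether or not the OID has a registered name in the openssl build that prints the certificate. Whether the firewall then classifies the certificate as an IPsec certificate is up to the vendor, which is the question left open in the thread.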
This is a bug, per RFC 4549. Please submit a report to your vendor.
(The semantics of the OIDs were never well-defined, and they have been
obsoleted -- according to RFC 4549, having keyUsage=digitalSignature
and no EKU should work for IPsec.)
In the [new_oids] section, add new lines:
pkixeku=1.3.
Hi Chris:
Chris Zimmerman wrote:
> Thanks to all of you in your assistance. With the recommended changes
> to the openssl.cnf file, I have successfully signed the CSR from the
> Watchguard box and imported it as a web cert (the Type that the
> Watchguard box sees). However, in order to use it fo
Thanks to all of you in your assistance. With the recommended changes
to the openssl.cnf file, I have successfully signed the CSR from the
Watchguard box and imported it as a web cert (the Type that the
Watchguard box sees). However, in order to use it for VPN tunnels,
the device needs it to be a
Please remove yourself from the openssl mailing list following the
instructions at the bottom of this email.
-Kyle H
On Tue, Aug 26, 2008 at 11:56 AM, <[EMAIL PROTECTED]> wrote:
> I have no idea who you are,or what you are talking about,but, obviously you
> are sending this mail to the wrong adr
I have no idea who you are, or what you are talking about, but obviously you are
sending this mail to the wrong address. Please check your source, and try a
different e-mail address.
__
OpenSSL Project
Chris:
On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
> There is no ExtendedKeyUsage extension.
>
> To fix this, in your openssl.cnf file in section [usr_cert] there is a
> commented-out line that needs to be uncommented.
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
[usr_cert] is the appropriate section.
This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
-Kyle H
On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
<[EMAIL PROTECTED]> wrote:
> What is the appropriate section?
>
> Sorry if this is a basic question, but I am working on im
What is the appropriate section?
Sorry if this is a basic question, but I am working on improving my knowledge.
On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
<[EMAIL PROTECTED]> wrote:
> Chris:
>
> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>> There is no ExtendedKeyUsage exten
thanks for catching that. :)
-Kyle H
On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
<[EMAIL PROTECTED]> wrote:
> Chris:
>
> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>> There is no ExtendedKeyUsage extension.
>>
>> To fix this, in your openssl.cnf file in section [usr_cert] the
Chris:
On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
> There is no ExtendedKeyUsage extension.
>
> To fix this, in your openssl.cnf file in section [usr_cert] there is a
> commented-out line that needs to be uncommented.
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
There is no ExtendedKeyUsage extension.
To fix this, in your openssl.cnf file in section [usr_cert] there is a
commented-out line that needs to be uncommented.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Then generate a new certificate.
-Kyle H
On Tue, Aug 26, 2008 at 9:20 A
Here's the cert for the Watchguard:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
CN=Company Root CA/[EMAIL PROTECTED]
Validity
N
openssl x509 -in [filename] -noout -text -inform PEM
-Kyle H
On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
<[EMAIL PROTECTED]> wrote:
> That command seems to have a syntax problem, showing: "unknown option
> [cert.pem-inserted my cert here]"
>
>
>
> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson
That command seems to have a syntax problem, showing: "unknown option
[cert.pem-inserted my cert here]"
On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]> wrote:
> Chris Zimmerman wrote:
>>
>> I am working to setup a Watchguard firewall with x509 certs for VPN
>> tunnels. I have c
Hi Chris:
On August 26, 2008 01:06:00 am Chris Zimmerman wrote:
> I am working to setup a Watchguard firewall with x509 certs for VPN
> tunnels. I have created my own CA on my laptop and I have created a
> CSR on the Watchguard product. I have then signed the CSR with my CA
> certificate success
I am working to setup a Watchguard firewall with x509 certs for VPN
tunnels. I have created my own CA on my laptop and I have created a
CSR on the Watchguard product. I have then signed the CSR with my CA
certificate successfully which then imports into the Watchguard.
Here's the problem: Watchgu